src/Security/AccessVoter.php line 11

Open in your IDE?
  1. <?php
  3. namespace App\Security;
  5. use App\DBAL\Types\AccessRoleType;
  6. use App\Entity;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  9. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  11. class AccessVoter extends Voter
  12. {
  13.     public const SYSTEM_ADMIN 'SYSTEM_ADMIN';
  14.     public const DATA_EXPORT 'DATA_EXPORT';
  15.     public const VIEW_REPORTS 'VIEW_REPORTS';
  16.     public const VIEW_WIDGETS 'VIEW_WIDGETS';
  18.     public const ACTION_CREATE 'ACTION_CREATE';
  19.     public const ACTION_EDIT 'ACTION_EDIT';
  20.     public const ACTION_DELETE 'ACTION_DELETE';
  21.     public const VIEW_OPPORTUNITIES 'VIEW_OPPORTUNITIES';
  23.     public const OBJECT_USER 'OBJECT_USER';
  24.     public const OBJECT_CHAT 'OBJECT_CHAT';
  25.     public const OBJECT_FILTER 'OBJECT_FILTER';
  26.     public const OBJECT_LEAD 'OBJECT_LEAD';
  27.     public const OBJECT_LEAD_COMMENT 'OBJECT_LEAD_COMMENT';
  28.     public const OBJECT_CUSTOMER 'OBJECT_CUSTOMER';
  29.     public const OBJECT_CUSTOMER_INTERVIEW_FORM 'OBJECT_CUSTOMER_INTERVIEW_FORM';
  30.     public const OBJECT_CUSTOMER_INTERVIEW_NOTE 'OBJECT_CUSTOMER_INTERVIEW_NOTE';
  31.     public const OBJECT_CUSTOMER_GOAL_TIME 'OBJECT_CUSTOMER_GOAL_TIME';
  32.     public const OBJECT_CUSTOMER_INVOICE 'OBJECT_CUSTOMER_INVOICE';
  33.     public const OBJECT_CUSTOMER_TRANSACTION 'OBJECT_CUSTOMER_TRANSACTION';
  34.     public const OBJECT_CUSTOMER_MESSAGE 'OBJECT_CUSTOMER_MESSAGE';
  35.     public const OBJECT_CUSTOMER_LETTER 'OBJECT_CUSTOMER_LETTER';
  36.     public const OBJECT_CUSTOMER_FILE 'OBJECT_CUSTOMER_FILE';
  37.     public const OBJECT_CUSTOMER_EVENT 'OBJECT_CUSTOMER_EVENT';
  38.     public const OBJECT_CUSTOMER_EVENT_COMMENT 'OBJECT_CUSTOMER_EVENT_COMMENT';
  39.     public const OBJECT_CUSTOMER_COMPLAINT 'OBJECT_CUSTOMER_COMPLAINT';
  40.     public const OBJECT_CUSTOMER_COMPLAINT_COMMENT 'OBJECT_CUSTOMER_COMPLAINT_COMMENT';
  41.     public const OBJECT_CUSTOMER_UPSELL_REQUEST 'OBJECT_CUSTOMER_UPSELL_REQUEST';
  42.     public const OBJECT_CUSTOMER_UPSELL_REQUEST_COMMENT 'OBJECT_CUSTOMER_UPSELL_REQUEST_COMMENT';
  43.     public const OBJECT_CUSTOMER_TAX_RETURN 'OBJECT_CUSTOMER_TAX_RETURN';
  44.     public const OBJECT_CUSTOMER_TAX_RETURN_COMMENT 'OBJECT_CUSTOMER_TAX_RETURN_COMMENT';
  45.     public const OBJECT_CUSTOMER_STATUS_LOG 'OBJECT_CUSTOMER_STATUS_LOG';
  46.     public const OBJECT_CUSTOMER_RATING_LOG 'OBJECT_CUSTOMER_RATING_LOG';
  47.     public const OBJECT_CUSTOMER_REQUEST 'OBJECT_CUSTOMER_REQUEST';
  48.     public const OBJECT_EVENT 'OBJECT_EVENT';
  49.     public const OBJECT_EVENT_COMMENT 'OBJECT_EVENT_COMMENT';
  50.     public const OBJECT_PROJECT 'OBJECT_PROJECT';
  51.     public const OBJECT_PROJECT_CARD 'OBJECT_PROJECT_CARD';
  52.     public const OBJECT_PROJECT_ITEM 'OBJECT_PROJECT_ITEM';
  53.     public const OBJECT_PROJECT_COMMENT 'OBJECT_PROJECT_COMMENT';
  54.     public const OBJECT_PROJECT_WHITEBOARD 'OBJECT_PROJECT_WHITEBOARD';
  55.     public const OBJECT_FEED 'OBJECT_FEED';
  56.     public const OBJECT_FEED_OPTION 'OBJECT_FEED_OPTION';
  57.     public const OBJECT_FEED_COMMENT 'OBJECT_FEED_COMMENT';
  58.     public const OBJECT_ISSUE 'OBJECT_ISSUE';
  59.     public const OBJECT_ISSUE_COMMENT 'OBJECT_ISSUE_COMMENT';
  60.     public const OBJECT_STREAM 'OBJECT_STREAM';
  61.     public const OBJECT_STREAM_COMMENT 'OBJECT_STREAM_COMMENT';
  62.     public const OBJECT_MESSAGE 'OBJECT_MESSAGE';
  63.     public const OBJECT_NOTIFICATION 'OBJECT_NOTIFICATION';
  64.     public const OBJECT_REPORT 'OBJECT_REPORT';
  65.     public const OBJECT_WIDGET 'OBJECT_WIDGET';
  67.     /** @var AccessDecisionManagerInterface */
  68.     private $decisionManager;
  70.     /**
  71.      * @param AccessDecisionManagerInterface $decisionManager
  72.      */
  73.     public function __construct(AccessDecisionManagerInterface $decisionManager)
  74.     {
  75.         $this->decisionManager $decisionManager;
  76.     }
  78.     /**
  79.      * {@inheritdoc}
  80.      */
  81.     protected function supports($attribute$subject)
  82.     {
  83.         list($attribute) = explode('|'$attribute);
  85.         // if the attribute isn't one we support, return false
  86.         if (!\in_array($attribute, [
  87.             self::SYSTEM_ADMIN,
  88.             self::DATA_EXPORT,
  89.             self::VIEW_REPORTS,
  90.             self::VIEW_WIDGETS,
  92.             self::OBJECT_USER,
  93.             self::OBJECT_CHAT,
  94.             self::OBJECT_FILTER,
  95.             self::OBJECT_LEAD,
  96.             self::OBJECT_LEAD_COMMENT,
  97.             self::OBJECT_CUSTOMER,
  98.             self::OBJECT_CUSTOMER_INTERVIEW_FORM,
  99.             self::OBJECT_CUSTOMER_INTERVIEW_NOTE,
  100.             self::OBJECT_CUSTOMER_GOAL_TIME,
  101.             self::OBJECT_CUSTOMER_INVOICE,
  102.             self::OBJECT_CUSTOMER_TRANSACTION,
  103.             self::OBJECT_CUSTOMER_MESSAGE,
  104.             self::OBJECT_CUSTOMER_LETTER,
  105.             self::OBJECT_CUSTOMER_FILE,
  106.             self::OBJECT_CUSTOMER_EVENT,
  107.             self::OBJECT_CUSTOMER_EVENT_COMMENT,
  108.             self::OBJECT_CUSTOMER_UPSELL_REQUEST,
  109.             self::OBJECT_CUSTOMER_UPSELL_REQUEST_COMMENT,
  110.             self::OBJECT_CUSTOMER_TAX_RETURN,
  111.             self::OBJECT_CUSTOMER_TAX_RETURN_COMMENT,
  112.             self::OBJECT_CUSTOMER_COMPLAINT,
  113.             self::OBJECT_CUSTOMER_COMPLAINT_COMMENT,
  114.             self::OBJECT_CUSTOMER_STATUS_LOG,
  115.             self::OBJECT_CUSTOMER_RATING_LOG,
  116.             self::OBJECT_CUSTOMER_REQUEST,
  117.             self::OBJECT_EVENT,
  118.             self::OBJECT_EVENT_COMMENT,
  119.             self::OBJECT_PROJECT,
  120.             self::OBJECT_PROJECT_CARD,
  121.             self::OBJECT_PROJECT_ITEM,
  122.             self::OBJECT_PROJECT_COMMENT,
  123.             self::OBJECT_PROJECT_WHITEBOARD,
  124.             self::OBJECT_FEED,
  125.             self::OBJECT_FEED_OPTION,
  126.             self::OBJECT_FEED_COMMENT,
  127.             self::OBJECT_ISSUE,
  128.             self::OBJECT_ISSUE_COMMENT,
  129.             self::OBJECT_STREAM,
  130.             self::OBJECT_STREAM_COMMENT,
  131.             self::OBJECT_MESSAGE,
  132.             self::OBJECT_NOTIFICATION,
  133.             self::OBJECT_REPORT,
  134.             self::OBJECT_WIDGET,
  135.         ])) {
  136.             return false;
  137.         }
  139.         // only vote on X objects inside this voter
  140.         if (!(!$subject
  141.             || (self::OBJECT_USER === $attribute && $subject instanceof Entity\User)
  142.             || (self::OBJECT_CHAT === $attribute && $subject instanceof Entity\Chat\Chat)
  143.             || (self::OBJECT_FILTER === $attribute && $subject instanceof Entity\Filter)
  144.             || (self::OBJECT_LEAD === $attribute && $subject instanceof Entity\Lead\Lead)
  145.             || (self::OBJECT_LEAD_COMMENT === $attribute && $subject instanceof Entity\Lead\Comment)
  146.             || (self::OBJECT_CUSTOMER === $attribute && $subject instanceof Entity\Customer\Customer)
  147.             || (self::OBJECT_CUSTOMER_INTERVIEW_FORM === $attribute && $subject instanceof Entity\Customer\InterviewForm)
  148.             || (self::OBJECT_CUSTOMER_INTERVIEW_NOTE === $attribute && $subject instanceof Entity\Customer\InterviewNote)
  149.             || (self::OBJECT_CUSTOMER_GOAL_TIME === $attribute && $subject instanceof Entity\Customer\GoalTime)
  150.             || (self::OBJECT_CUSTOMER_INVOICE === $attribute && $subject instanceof Entity\Customer\Invoice)
  151.             || (self::OBJECT_CUSTOMER_TRANSACTION === $attribute && $subject instanceof Entity\Customer\Transaction)
  152.             || (\in_array($attribute, [self::OBJECT_MESSAGEself::OBJECT_CUSTOMER_MESSAGE]) && $subject instanceof Entity\Customer\Message)
  153.             || (self::OBJECT_CUSTOMER_LETTER === $attribute && $subject instanceof Entity\Customer\Letter)
  154.             || (self::OBJECT_CUSTOMER_FILE === $attribute && $subject instanceof Entity\Customer\File)
  155.             || (self::OBJECT_CUSTOMER_COMPLAINT === $attribute && $subject instanceof Entity\Customer\Complaint)
  156.             || (self::OBJECT_CUSTOMER_COMPLAINT_COMMENT === $attribute && $subject instanceof Entity\Customer\Comment\ComplaintComment)
  157.             || (self::OBJECT_CUSTOMER_UPSELL_REQUEST === $attribute && $subject instanceof Entity\Customer\UpsellRequest)
  158.             || (self::OBJECT_CUSTOMER_UPSELL_REQUEST_COMMENT === $attribute && $subject instanceof Entity\Customer\Comment\UpsellRequestComment)
  159.             || (self::OBJECT_CUSTOMER_TAX_RETURN === $attribute && $subject instanceof Entity\Customer\TaxReturn)
  160.             || (self::OBJECT_CUSTOMER_TAX_RETURN_COMMENT === $attribute && $subject instanceof Entity\Customer\Comment\TaxReturnComment)
  161.             || (self::OBJECT_CUSTOMER_STATUS_LOG === $attribute && $subject instanceof Entity\Customer\StatusLog)
  162.             || (self::OBJECT_CUSTOMER_RATING_LOG === $attribute && $subject instanceof Entity\Customer\RatingLog)
  163.             || (self::OBJECT_CUSTOMER_REQUEST === $attribute && $subject instanceof Entity\Customer\Request)
  164.             || (\in_array($attribute, [self::OBJECT_EVENTself::OBJECT_CUSTOMER_EVENT]) && $subject instanceof Entity\Event\Event)
  165.             || (\in_array($attribute, [self::OBJECT_EVENT_COMMENTself::OBJECT_CUSTOMER_EVENT_COMMENT]) && $subject instanceof Entity\Event\Comment)
  166.             || (self::OBJECT_PROJECT === $attribute && $subject instanceof Entity\Project\Project)
  167.             || (self::OBJECT_PROJECT_CARD === $attribute && $subject instanceof Entity\Project\Card)
  168.             || (self::OBJECT_PROJECT_ITEM === $attribute && $subject instanceof Entity\Project\Item)
  169.             || (self::OBJECT_PROJECT_COMMENT === $attribute && $subject instanceof Entity\Project\Comment)
  170.             || (self::OBJECT_PROJECT_WHITEBOARD === $attribute && $subject instanceof Entity\Project\Whiteboard)
  171.             || (self::OBJECT_FEED === $attribute && $subject instanceof Entity\Feed\Feed)
  172.             || (self::OBJECT_FEED_OPTION === $attribute && $subject instanceof Entity\Feed\Option)
  173.             || (self::OBJECT_FEED_COMMENT === $attribute && $subject instanceof Entity\Feed\Comment)
  174.             || (self::OBJECT_ISSUE === $attribute && $subject instanceof Entity\Issue\Issue)
  175.             || (self::OBJECT_ISSUE_COMMENT === $attribute && $subject instanceof Entity\Issue\Comment)
  176.             || (self::OBJECT_STREAM === $attribute && $subject instanceof Entity\Stream\Stream)
  177.             || (self::OBJECT_STREAM_COMMENT === $attribute && $subject instanceof Entity\Stream\Comment)
  178.             || (self::OBJECT_NOTIFICATION === $attribute && $subject instanceof Entity\Notification)
  179.             || (self::OBJECT_REPORT === $attribute && $subject instanceof Entity\Report)
  180.             || (self::OBJECT_WIDGET === $attribute && $subject instanceof Entity\Widget)
  181.         )) {
  182.             return false;
  183.         }
  185.         return true;
  186.     }
  188.     /**
  189.      * {@inheritdoc}
  190.      */
  191.     protected function voteOnAttribute($attribute$subjectTokenInterface $token)
  192.     {
  193.         $tmp explode('|'$attribute);
  194.         $attribute $tmp[0];
  195.         $action $tmp[1] ?? null;
  196.         switch ($action) {
  197.             case self::ACTION_CREATE:
  198.                 $action AccessRoleType::CREATE;
  199.                 break;
  201.             case self::ACTION_EDIT:
  202.                 $action AccessRoleType::EDIT;
  203.                 break;
  205.             case self::ACTION_DELETE:
  206.                 $action AccessRoleType::DELETE;
  207.                 break;
  209.             case self::VIEW_OPPORTUNITIES:
  210.                 break;
  212.             default:
  213.                 $action null;
  214.         }
  216.         $user $token->getUser();
  218.         // the user must be logged in; if not, deny access
  219.         if (!$user instanceof Entity\User) {
  220.             return false;
  221.         }
  223.         // ROLE_ADMIN can do anything!
  224.         if ($this->decisionManager->decide($token, ['ROLE_ADMIN']) || $user->isAllowSystemAdmin()) {
  225.             return true;
  226.         }
  228.         if (self::DATA_EXPORT === $attribute && $user->isAllowDataExport()) {
  229.             return true;
  230.         }
  232.         if (self::VIEW_REPORTS === $attribute && $user->hasAccessToReport()) {
  233.             return true;
  234.         }
  236.         if (self::VIEW_WIDGETS === $attribute/*  && $user->hasAccessToWidget() */) {
  237.             return true;
  238.         }
  240.         // you can only perform self actions
  241.         if (self::OBJECT_USER === $attribute
  242.             && $subject instanceof User
  243.             && $subject->getId() === $user->getId()
  244.         ) {
  245.             return true;
  246.         }
  248.         // check access via team
  249.         if (!$subject
  250.             && \in_array($attribute, [
  251.                 self::OBJECT_LEAD,
  252.                 self::OBJECT_CUSTOMER,
  253.                 self::OBJECT_EVENT,
  254.                 self::OBJECT_PROJECT,
  255.                 self::OBJECT_FEED,
  256.                 self::OBJECT_ISSUE,
  257.                 self::OBJECT_STREAM,
  258.                 self::OBJECT_MESSAGE,
  259.             ])
  260.             && $user->hasEntityAccess(substr(strtolower($attribute), 7), $action)
  261.         ) {
  262.             return true;
  263.         }
  264.         if (!$subject
  265.             && \in_array($attribute, [
  266.                 self::OBJECT_CUSTOMER_INTERVIEW_FORM,
  267.                 self::OBJECT_CUSTOMER_INTERVIEW_NOTE,
  268.                 self::OBJECT_CUSTOMER_GOAL_TIME,
  269.                 self::OBJECT_CUSTOMER_INVOICE,
  270.                 self::OBJECT_CUSTOMER_TRANSACTION,
  271.                 self::OBJECT_CUSTOMER_MESSAGE,
  272.                 self::OBJECT_CUSTOMER_LETTER,
  273.                 self::OBJECT_CUSTOMER_FILE,
  274.                 self::OBJECT_CUSTOMER_EVENT,
  275.                 self::OBJECT_CUSTOMER_EVENT_COMMENT,
  276.                 self::OBJECT_CUSTOMER_UPSELL_REQUEST,
  277.                 self::OBJECT_CUSTOMER_UPSELL_REQUEST_COMMENT,
  278.                 self::OBJECT_CUSTOMER_TAX_RETURN,
  279.                 self::OBJECT_CUSTOMER_TAX_RETURN_COMMENT,
  280.                 self::OBJECT_CUSTOMER_COMPLAINT,
  281.                 self::OBJECT_CUSTOMER_COMPLAINT_COMMENT,
  282.                 self::OBJECT_CUSTOMER_STATUS_LOG,
  283.                 self::OBJECT_CUSTOMER_RATING_LOG,
  284.                 self::OBJECT_CUSTOMER_REQUEST,
  285.             ])
  286.             && $user->hasEntityAccess(substr(strtolower(self::OBJECT_CUSTOMER), 7), AccessRoleType::EDIT)
  287.         ) {
  288.             return true;
  289.         }
  291.         if ($subject) {
  292.             // reject subjects connected to other users
  293.             if (\in_array($attribute, [
  294.                 self::OBJECT_FILTER,
  295.                 self::OBJECT_NOTIFICATION,
  296.             ]) && (!$subject->getUser()
  297.                 || $subject->getUser()->getId() !== $user->getId()
  298.             )) {
  299.                 return false;
  300.             }
  302.             // allow non-configured permission subjects
  303.             if (\in_array($attribute, [
  304.                 self::OBJECT_FILTER,
  305.                 self::OBJECT_NOTIFICATION,
  306.             ])) {
  307.                 return true;
  308.             }
  310.             // access to chat
  311.             if (self::OBJECT_CHAT === $attribute) {
  312.                 return $subject->hasParticipantByUser($user);
  313.             }
  315.             // access to reports
  316.             if (self::OBJECT_REPORT === $attribute) {
  317.                 return $user->hasAccessToReport($subject);
  318.             }
  320.             // access to widgets
  321.             if (self::OBJECT_WIDGET === $attribute) {
  322.                 return $user->hasAccessToWidget($subject);
  323.             }
  325.             // no user asigned
  326.             if (!method_exists($subject'getUser') || !$creator $subject->getUser()) {
  327.                 return true;
  328.             }
  330.             /*
  331.             // creator is me
  332.             if ($user->getId() === $creator->getId()) {
  333.                 return true;
  334.             }
  335.             */
  337.             if (\in_array($attribute, [
  338.                 self::OBJECT_LEAD_COMMENT,
  339.                 self::OBJECT_EVENT_COMMENT,
  340.                 self::OBJECT_PROJECT_COMMENT,
  341.                 self::OBJECT_FEED_COMMENT,
  342.                 self::OBJECT_ISSUE_COMMENT,
  343.                 self::OBJECT_STREAM_COMMENT,
  344.             ])) {
  345.                 $attribute substr($attribute0, -8);
  346.             }
  347.             if (\in_array($attribute, [
  348.                 self::OBJECT_PROJECT_CARD,
  349.                 self::OBJECT_PROJECT_ITEM,
  350.             ])) {
  351.                 $attribute substr($attribute0, -5);
  352.             }
  353.             if (\in_array($attribute, [
  354.                 self::OBJECT_PROJECT_WHITEBOARD,
  355.             ])) {
  356.                 $attribute substr($attribute0, -12);
  357.             }
  358.             if (\in_array($attribute, [
  359.                 self::OBJECT_FEED_OPTION,
  360.             ])) {
  361.                 $attribute substr($attribute0, -7);
  362.             }
  364.             if (\in_array($attribute, [
  365.                 self::OBJECT_CUSTOMER_INTERVIEW_FORM,
  366.                 self::OBJECT_CUSTOMER_INTERVIEW_NOTE,
  367.                 self::OBJECT_CUSTOMER_GOAL_TIME,
  368.                 self::OBJECT_CUSTOMER_INVOICE,
  369.                 self::OBJECT_CUSTOMER_TRANSACTION,
  370.                 self::OBJECT_CUSTOMER_MESSAGE,
  371.                 self::OBJECT_CUSTOMER_LETTER,
  372.                 self::OBJECT_CUSTOMER_FILE,
  373.                 self::OBJECT_CUSTOMER_EVENT,
  374.                 self::OBJECT_CUSTOMER_EVENT_COMMENT,
  375.                 self::OBJECT_CUSTOMER_UPSELL_REQUEST,
  376.                 self::OBJECT_CUSTOMER_UPSELL_REQUEST_COMMENT,
  377.                 self::OBJECT_CUSTOMER_TAX_RETURN,
  378.                 self::OBJECT_CUSTOMER_TAX_RETURN_COMMENT,
  379.                 self::OBJECT_CUSTOMER_COMPLAINT,
  380.                 self::OBJECT_CUSTOMER_COMPLAINT_COMMENT,
  381.                 self::OBJECT_CUSTOMER_STATUS_LOG,
  382.                 self::OBJECT_CUSTOMER_RATING_LOG,
  383.                 self::OBJECT_CUSTOMER_REQUEST,
  384.             ])) {
  385.                 $attribute self::OBJECT_CUSTOMER;
  387.                 if (AccessRoleType::DELETE === $action) {
  388.                     $action AccessRoleType::EDIT;
  389.                 }
  390.             }
  392.             // access to record
  393.             if ($user->hasEntityAccess(substr(strtolower($attribute), 7), $action)) {
  394.                 return true;
  395.             }
  396.         }
  398.         return false;
  399.     }
  400. }